This would make sense except for one thing: the WAN IP is not anywhere near the range of the static addresses they gave me.
So assume I have this: 12.34.56.78 for my firewall address (as assigned to me by the ISP). And I have 18.25.125.16/29 for my statics. And behind the firewall I am running 192.168.16.0/24. How do I set it up there?

I tried 1:1 and I saw the traffic coming from my other connection trying to load a web page (Apache - installed and running fine) and my ICMP traffic. And using the Firewall System Log tab I did the easy rule pass but neither the ICMP nor the Web traffic were passing through and back.

Yes, I have confirmed the server gets out to the internet and through the new fiber connection only.

> On Jun 25, 2015, at 3:34 PM, ys1338 <[email protected]> wrote:
>
> I believe VIPs can be used in this scenario.
> You would have pfSense have the single main IP for its WAN and the remaining block as VIPs. You then could use NAT to forward them to your LAN port segment.
> -Yaroslav
>
> -------- Original message --------
> From: Steve Yates <[email protected]>
> Date: 06/25/2015 4:11 PM (GMT-05:00)
> To: pfSense Support and Discussion Mailing List <[email protected]>
> Subject: Re: [pfSense] Setting up for 1:1 with block of statics?
>
> Ryan Coleman wrote on Thu, Jun 25 2015 at 12:00 pm:
>
>> Ok so I would be better suited, then, utilizing a third firewall?
>>
>> I have 2 right now on our Cable service: one for basic LAN traffic and one for specific services behind the firewall (SMTP, FTP, etc.).
>>
>> I could have this new FTTO/FTTP connection firewall actually do the specific services one, too, and route for the IPs?
>>
>> Here’s what their email said (yes, I did change the IPs to private to keep them off the net):
>>> NOTE: As soon as the remainder of your service setup completed your static IP address will be live with this provided info. The rest of the service setup should be completed very soon. Additionally your 8-block of IP address are also provisioned. They are being routed to your firewall at 10.0.12.222
>>> Network: 192.168.120.16
>>> Netmask: 255.255.255.248
>>> You can contact tech support when you are ready to change your MAC address.
>>
>> As it stands right now the firewall is definitely accessible remotely. And I like that. It sounds like I would get 6 functional IPs out of the group (17-21 and .222)
>
> Will the servers/PCs behind the firewall have public IPs? If not, and you want to use NAT, then I don't think one pfSense will work for you. I suspect you'd need one that takes the packet for 192.168.120.17 arriving at 10.0.12.222, and passes it to its "LAN" network. Then you could set up a second pfSense or router that uses 192.168.120.17 as its WAN IP address, uses other 192.168.120.x IPs as IP aliases (on WAN), and provides NAT to a private IP range.
>
> Perhaps someone can jump in if there is a way to combine the two functions. Maybe with four NICs and a convoluted setup of going out NIC 2 back into NIC 3, with NIC 4 the private IP network. Seems error-prone, though.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
